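import * as pulumi from "@pulumi/pulumi";

// NOTE(review): this copy of the typings had lost every generic type argument
// (`pulumi.Input`, `pulumi.Output`, and the unparseable `pulumi.Input[]>`).
// They are restored below from the field descriptions and the usual Pulumi
// declaration pattern; confirm against the published package before relying
// on the exact optionality of each Output.

/**
 * Manages a policy rule definition on a management group or your provider subscription.
 *
 * Policy definitions do not take effect until they are assigned to a scope using a Policy Assignment.
 *
 * ## Example Usage
 *
 * The rule below uses the `audit` effect, so non-compliant resources are reported
 * but not blocked; use the `deny` effect where the rule has to be enforced.
 * `metadata`, `policyRule` and `parameters` are passed as JSON strings, so they
 * must be valid JSON (plain double quotes inside the template literals).
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as azure from "@pulumi/azure";
 *
 * const policy = new azure.policy.Definition("policy", {
 *     name: "accTestPolicy",
 *     policyType: "Custom",
 *     mode: "Indexed",
 *     displayName: "acceptance test policy definition",
 *     metadata: `    {
 *     "category": "General"
 *     }
 * `,
 *     policyRule: `    {
 *     "if": {
 *       "not": {
 *         "field": "location",
 *         "in": "[parameters('allowedLocations')]"
 *       }
 *     },
 *     "then": {
 *       "effect": "audit"
 *     }
 *   }
 * `,
 *     parameters: `    {
 *     "allowedLocations": {
 *       "type": "Array",
 *       "metadata": {
 *         "description": "The list of allowed locations for resources.",
 *         "displayName": "Allowed locations",
 *         "strongType": "location"
 *       }
 *     }
 *   }
 * `,
 * });
 * ```
 *
 * ## Import
 *
 * Policy Definitions can be imported using the `policy name`, e.g.
 *
 * ```sh
 * $ pulumi import azure:policy/definition:Definition examplePolicy /subscriptions/<subscription-id>/providers/Microsoft.Authorization/policyDefinitions/<policy-name>
 * ```
 *
 * or
 *
 * ```sh
 * $ pulumi import azure:policy/definition:Definition examplePolicy /providers/Microsoft.Management/managementgroups/<management-group-id>/providers/Microsoft.Authorization/policyDefinitions/<policy-name>
 * ```
 */
export declare class Definition extends pulumi.CustomResource {
    /**
     * Get an existing Definition resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: DefinitionState, opts?: pulumi.CustomResourceOptions): Definition;
    /**
     * Returns true if the given object is an instance of Definition. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     */
    static isInstance(obj: any): obj is Definition;
    /**
     * The description of the policy definition.
     */
    readonly description: pulumi.Output<string | undefined>;
    /**
     * The display name of the policy definition.
     */
    readonly displayName: pulumi.Output<string>;
    /**
     * The id of the Management Group where this policy should be defined. Changing this forces a new resource to be created.
     */
    readonly managementGroupId: pulumi.Output<string | undefined>;
    /**
     * The metadata for the policy definition. This is a JSON string representing additional metadata that should be stored with the policy definition.
     */
    readonly metadata: pulumi.Output<string>;
    /**
     * The policy resource manager mode that allows you to specify which resource types will be evaluated. Possible values are `All`, `Indexed`, `Microsoft.ContainerService.Data`, `Microsoft.CustomerLockbox.Data`, `Microsoft.DataCatalog.Data`, `Microsoft.KeyVault.Data`, `Microsoft.Kubernetes.Data`, `Microsoft.MachineLearningServices.Data`, `Microsoft.Network.Data` and `Microsoft.Synapse.Data`.
     *
     * > **Note:** Other resource provider modes only support built-in policy definitions but may later become available in custom definitions. These include: `Microsoft.ContainerService.Data`, `Microsoft.CustomerLockbox.Data`, `Microsoft.DataCatalog.Data`, `Microsoft.KeyVault.Data`, `Microsoft.Kubernetes.Data`, `Microsoft.MachineLearningServices.Data`, `Microsoft.Network.Data` and `Microsoft.Synapse.Data`. [See here](https://docs.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure#resource-provider-modes) for more details.
     */
    readonly mode: pulumi.Output<string>;
    /**
     * The name of the policy definition. Changing this forces a new resource to be created.
     */
    readonly name: pulumi.Output<string>;
    /**
     * Parameters for the policy definition. This field is a JSON string that allows you to parameterize your policy definition. Reducing the number of parameters forces a new resource to be created.
     */
    readonly parameters: pulumi.Output<string | undefined>;
    /**
     * The policy rule for the policy definition. This is a JSON string representing the rule that contains an if and a then block.
     */
    readonly policyRule: pulumi.Output<string | undefined>;
    /**
     * The policy type. Possible values are `BuiltIn`, `Custom`, `NotSpecified` and `Static`. Changing this forces a new resource to be created.
     */
    readonly policyType: pulumi.Output<string>;
    /**
     * A list of role definition IDs extracted from `policyRule` that are required for remediation.
     *
     * Review this list before assigning the policy: these are the roles remediation
     * will need, so a broad role named in `policyRule` means a broadly privileged
     * remediation identity.
     */
    readonly roleDefinitionIds: pulumi.Output<string[]>;
    /**
     * Create a Definition resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: DefinitionArgs, opts?: pulumi.CustomResourceOptions);
}

/**
 * Input properties used for looking up and filtering Definition resources.
 */
export interface DefinitionState {
    /**
     * The description of the policy definition.
     */
    description?: pulumi.Input<string>;
    /**
     * The display name of the policy definition.
     */
    displayName?: pulumi.Input<string>;
    /**
     * The id of the Management Group where this policy should be defined. Changing this forces a new resource to be created.
     */
    managementGroupId?: pulumi.Input<string>;
    /**
     * The metadata for the policy definition. This is a JSON string representing additional metadata that should be stored with the policy definition.
     */
    metadata?: pulumi.Input<string>;
    /**
     * The policy resource manager mode that allows you to specify which resource types will be evaluated. Possible values are `All`, `Indexed`, `Microsoft.ContainerService.Data`, `Microsoft.CustomerLockbox.Data`, `Microsoft.DataCatalog.Data`, `Microsoft.KeyVault.Data`, `Microsoft.Kubernetes.Data`, `Microsoft.MachineLearningServices.Data`, `Microsoft.Network.Data` and `Microsoft.Synapse.Data`.
     *
     * > **Note:** Other resource provider modes only support built-in policy definitions but may later become available in custom definitions. These include: `Microsoft.ContainerService.Data`, `Microsoft.CustomerLockbox.Data`, `Microsoft.DataCatalog.Data`, `Microsoft.KeyVault.Data`, `Microsoft.Kubernetes.Data`, `Microsoft.MachineLearningServices.Data`, `Microsoft.Network.Data` and `Microsoft.Synapse.Data`. [See here](https://docs.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure#resource-provider-modes) for more details.
     */
    mode?: pulumi.Input<string>;
    /**
     * The name of the policy definition. Changing this forces a new resource to be created.
     */
    name?: pulumi.Input<string>;
    /**
     * Parameters for the policy definition. This field is a JSON string that allows you to parameterize your policy definition. Reducing the number of parameters forces a new resource to be created.
     */
    parameters?: pulumi.Input<string>;
    /**
     * The policy rule for the policy definition. This is a JSON string representing the rule that contains an if and a then block.
     */
    policyRule?: pulumi.Input<string>;
    /**
     * The policy type. Possible values are `BuiltIn`, `Custom`, `NotSpecified` and `Static`. Changing this forces a new resource to be created.
     */
    policyType?: pulumi.Input<string>;
    /**
     * A list of role definition IDs extracted from `policyRule` that are required for remediation.
     */
    roleDefinitionIds?: pulumi.Input<pulumi.Input<string>[]>;
}

/**
 * The set of arguments for constructing a Definition resource.
 */
export interface DefinitionArgs {
    /**
     * The description of the policy definition.
     */
    description?: pulumi.Input<string>;
    /**
     * The display name of the policy definition.
     */
    displayName: pulumi.Input<string>;
    /**
     * The id of the Management Group where this policy should be defined. Changing this forces a new resource to be created.
     */
    managementGroupId?: pulumi.Input<string>;
    /**
     * The metadata for the policy definition. This is a JSON string representing additional metadata that should be stored with the policy definition.
     */
    metadata?: pulumi.Input<string>;
    /**
     * The policy resource manager mode that allows you to specify which resource types will be evaluated. Possible values are `All`, `Indexed`, `Microsoft.ContainerService.Data`, `Microsoft.CustomerLockbox.Data`, `Microsoft.DataCatalog.Data`, `Microsoft.KeyVault.Data`, `Microsoft.Kubernetes.Data`, `Microsoft.MachineLearningServices.Data`, `Microsoft.Network.Data` and `Microsoft.Synapse.Data`.
     *
     * > **Note:** Other resource provider modes only support built-in policy definitions but may later become available in custom definitions. These include: `Microsoft.ContainerService.Data`, `Microsoft.CustomerLockbox.Data`, `Microsoft.DataCatalog.Data`, `Microsoft.KeyVault.Data`, `Microsoft.Kubernetes.Data`, `Microsoft.MachineLearningServices.Data`, `Microsoft.Network.Data` and `Microsoft.Synapse.Data`. [See here](https://docs.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure#resource-provider-modes) for more details.
     */
    mode: pulumi.Input<string>;
    /**
     * The name of the policy definition. Changing this forces a new resource to be created.
     */
    name?: pulumi.Input<string>;
    /**
     * Parameters for the policy definition. This field is a JSON string that allows you to parameterize your policy definition. Reducing the number of parameters forces a new resource to be created.
     */
    parameters?: pulumi.Input<string>;
    /**
     * The policy rule for the policy definition. This is a JSON string representing the rule that contains an if and a then block.
     */
    policyRule?: pulumi.Input<string>;
    /**
     * The policy type. Possible values are `BuiltIn`, `Custom`, `NotSpecified` and `Static`. Changing this forces a new resource to be created.
     */
    policyType: pulumi.Input<string>;
}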